ASD Essential Eight – The Perils of Java
The Australian Signals Directorate (ASD) published a useful list of prioritised cyber mitigation strategies in February 2017, known as the ASD Essential Eight. User Application Security is one of the eight, including locking down and restricting the permissions of user-facing applications.
Application Platform Java is a Target for Hackers
History has shown us that one such user application platform is regularly targeted by hackers, because of the incredible power it affords developers. In case you hadn’t guessed, we are talking about Java and, in particular, the Java Virtual Machine (JVM), which is the execution environment installed on practically every business computer on the planet. Let’s look more at Java, the JVM and how to tighten your security if you need to install it in your organisation.
Definition: ASD describes application hardening as controls that, “Block web browser access to Adobe Flash Player (uninstall if possible), web ads and untrusted Java code on the Internet.” In general, application hardening is the removal of features that are easily exploited by attackers or permissions that make them more susceptible to cyber-attack.
What is Java?
Java is a programming language and runtime environment, first introduced by Sun Microsystems in 1995. Since then it has been bought by database giant Oracle and has grown in popularity to the point of being ubiquitous across all major operating systems. There are countless applications, both client and server side, running on Java, and many web applications won't run without it. It's this ubiquity that makes Java such an attractive target for hackers, since malware targeting Java applications can reach users of Windows, Mac, Unix and Linux systems without much change to the underlying code.
The security risks of Java
There are several ways that Java introduces security risks, so you’ll need to decide what approach is best for your organisation regarding cyber mitigation strategies. Let’s start with malware that targets vulnerabilities within the JVM. These exploits look for weaknesses in the Java execution environment, and since the JVM is the interface between the application and the operating system, it has the means to incorporate operating system commands and functions that are usually not available to standard users.
If a hacker finds a way to increase permissions through the JVM, they can often launch privilege escalation attacks and even gain full domain administration rights. For this reason, it’s important that administrators keep an eye on Oracle’s website for any vulnerability notifications and patches and ensure all Java updates are applied as soon as possible. If it’s a critical vulnerability, the best advice is to prioritise this over everything else and roll it out, since no other platform, aside from the operating system itself, creates an attack surface of this size in your business.
Users can download malicious Java applications from infected websites or as so-called drive-by downloads, or they can arrive as email attachments, with a social engineering ruse fooling the user into opening the attachment. Once the hacker has managed to execute their malware on the user's system, they can go on to use that foothold to steal information, drop additional malware (such as keyloggers or ransomware) or use the hijacked computer as a beachhead for attacking other systems on the network.
Java Cyber Mitigation Strategies
Start by asking yourself if you need Java at all. Apple used to ship Java as a component of the OS X build, but has now removed it from the base OS X installation, leaving it to users (and administrators) to install it only if it's needed. Many businesses roll Java into the Standard Operating Environment (SOE) without needing it, simply because it was always there as a standard build component of the SOE. If it isn't required, remove it from your SOE, as this immediately improves your organisation's security posture.
Many companies, however, do require Java for a variety of line of business applications, so there are a few things you can do to keep your users, information and bottom line safe from hackers:
- Apply security patches as soon as they are available;
- In the user’s web browser, configure Java applications to run only from trusted sources, such as com.au;
- Whitelist authorised programmes using Java’s Deployment Rule Set feature;
- Pass all email and website content through gateway content filters.
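As an added example (not configuration from the original article), this is the kind of ruleset.xml a Deployment Rule Set is built from: it allows Rich Internet Applications from assumed internal hosts, optionally trusts a named signing certificate, and blocks everything else, so the whitelist is enforced by the Java client itself rather than by the user's judgement. The host names, version string and certificate hash are placeholders.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- ruleset.xml: added example, not the article's own configuration.
     Rules are evaluated top to bottom and the first matching rule wins,
     so the explicit "run" rules must appear before the catch-all block. -->
<ruleset version="1.0+">

  <!-- Allow the internal line-of-business application.
       "intranet.example.com" is an assumed placeholder host. -->
  <rule>
    <id location="https://intranet.example.com" />
    <action permission="run" />
  </rule>

  <!-- Allow a legacy application that only works on an older Java
       release; the version attribute pins which JRE family runs it,
       so the rest of the estate can stay on the current patch level. -->
  <rule>
    <id location="https://legacy.example.com" />
    <action permission="run" version="1.8*" />
  </rule>

  <!-- Alternative: trust by signing certificate rather than by location.
       The hash is a placeholder and must be replaced with the SHA-256
       fingerprint of the real signer certificate. -->
  <rule>
    <id>
      <certificate hash="PLACEHOLDER_SHA256_OF_SIGNER_CERT" algorithm="SHA-256" />
    </id>
    <action permission="run" />
  </rule>

  <!-- Catch-all: an empty id matches every RIA, so anything not matched
       above is blocked. This rule is what turns the set into a whitelist. -->
  <rule>
    <id />
    <action permission="block">
      <message>Blocked by corporate policy. Contact the service desk.</message>
    </action>
  </rule>
</ruleset>
```

The file is packaged as DeploymentRuleSet.jar, signed with a certificate the client's trusted CA store accepts, and deployed to the Java deployment directory (on Windows, C:\Windows\Sun\Java\Deployment); an unsigned or expired rule set is ignored and RIAs fall back to the ordinary security-level and Exception Site List settings, which is worth checking after every certificate renewal.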
Note: Some businesses run two separate web browsers on their SOE, one for internal use and one for users to access the Internet. The external web browser does not use Java and has much tighter security settings, while the internal browser has Java enabled and uses less restrictive permissions to allow internal web applications to run.
Businesses that use Windows technology can also look at integrating Microsoft’s Enhanced Mitigation Experience Toolkit (EMET) into their SOE. If EMET detects an indicator of compromise or attack, as demonstrated in many common Java exploits, it halts execution and raises the alarm.
Defend the power of Java
Malicious Java applications are considered trustworthy by users because of their association with a legitimate website or function that the user is trying to use. If users trust a malicious application, they often start downloading additional malware which then starts stealing information, encrypting user data and reaching out on the Internet to other computers, further infiltrating the business.
It’s imperative that administrators and security teams work together to build an application security model that only offers required permissions for business functions while affording additional layers of defences in the SOE. Java, like the variety of other application execution platforms installed with operating systems, provides great power to the developers, but with great power comes the responsibility to understand its weaknesses and defend the business against these systems being used against it.
For more information on how protective monitoring can assist in mitigating security threats, check out our infographic to support you in your work.
The Essential Eight category of User Application Hardening includes controlling Microsoft Office macro settings, PowerShell and Java applications. The full list of ASD's 37 mitigation strategies (including the Essential Eight) can be found on ASD's website.
[Image: If a victim visits an infected website, the malicious content could target the JVM to run malicious code.]
[Image: Deployment Rule Set is a feature Java offers for applying ever-tightening security policies to Java applets and Java Web Start applications.]